Computers. Circuits. Code.

Upgrading the Kyocera KR2 With the CradlePoint MBR1000 Firmware

Oct 15, 2012

This is the first post in my quest to get my Kyocera KR2 running some
more modern firmware. For those of you who don't know, the CradlePoint
MBR1000 3G/4G wireless router is essentially a rebranded Kyocera KR2
with different firmware and no PCMCIA slot. Internally, the hardware is
exactly the same (except for the PCMCIA card slot). The MBR1000's
firmware is more up-to-date than the KR2 firmware with support for more
3G and 4G cellular cards, so I wanted to see if I could upgrade the
firmware. If I do eventually get this to work, I'll probably lose the
PCMCIA card slot functionality, but it will be worth it.

Here's what I have so far:

The MBR1000 has two firmware files, both with the .bin
extension. The second firmware file contains the modem drivers and is
not relevant. The first firmware file, however, is much more
interesting. Here's the output after I ran binwalk on
the u_mbr_2012_04_16.bin file:

It turns out that you can actually extract files from this archive (it's
called an ARJ; I've never heard of that kind of archive before). So,
using "The Archive Browser" on my Mac (it's a very good utility, by the
way), I extracted a file called
nightlies/mbrcore_2_0_0_Release_2012_04_16/build/bin/img.bin from it.
This is what it's called when I extract it using The Archive Browser.
When I use 7-Zip to extract it, instead of getting that directory
structure in the file name, the directory structure is actually visible
inside 7-Zip and you can browse through it. There aren't any additional
files, though, so either way you get an image file out of it. Here's the
binwalk output for that file:

Wow! I wish I had this program a few years ago... Anyways, this is all
very interesting stuff. The PNG (if you haven't already guessed from the
size) is the favicon for the web interface; I have no idea what the TIFF
is; after a little poking around, I found that the "8289 x 256" GIF is
simply a spinning "loading" disk from here; and
that last GIF is just some sort of simple footer image. All in all,
nothing too special here. On to the Kyocera firmware!

The KR2 only uses one firmware image; the latest is called ZE1004.bin.
Here's the binwalk output for it:

Unfortunately, I wasn't able to extract anything from ZE1004.bin. Oh,
well.

Noting that ZE1004.bin and u_mbr_2012_04_16.bin both had Ubicom
firmware headers, I decided to compare them using "Hex Fiend." From that
hex comparison, I found that the two files are remarkably similar.
First of all, they are close to each other in file size (1.7 and 1.5
MB). Second, for the first 1.5 kB, there are only 37 differences with
many of them being simple byte replacements. After that, the files
become very different for a little over a megabyte. After that
difference, though, there's a bunch of "FF" bytes and these continue
until the end of the file where there is a 4 byte value that varies by
one byte between the two files and is certainly not a checksum. In the
MBR1000 file, you could remove around 200 kB worth of "FF" after the
main code block and make it the same size as the KR2 file. After looking
through the two files, it seems as though the KR2 file has much more
code than the MBR1000 file, but this can be explained by the fact that
the KR2 firmware has its modem drivers built-in.
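To make the comparison described above repeatable, here is an added Python example (not code from the post) that locates the shared header differences, the 0xFF padding run and the 4-byte trailer in two images, and can resize the padding so one image matches the other's size. The two images it runs on are constructed stand-ins, not the real ZE1004.bin or u_mbr_2012_04_16.bin.

```python
"""Structural comparison of two firmware images that share a header, diverge
in the code region, then carry 0xFF padding and a short trailer."""
from dataclasses import dataclass

TRAILER_LEN = 4  # trailing value observed at the end of both images


@dataclass
class Layout:
    size: int
    code_end: int    # offset where the trailing 0xFF run begins
    pad_len: int     # number of 0xFF bytes between code and trailer
    trailer: bytes   # final TRAILER_LEN bytes


def layout(img: bytes) -> Layout:
    """Scan backwards from the trailer to find the 0xFF padding run."""
    body = img[:-TRAILER_LEN]
    end = len(body)
    while end > 0 and body[end - 1] == 0xFF:
        end -= 1
    return Layout(len(img), end, len(body) - end, img[-TRAILER_LEN:])


def header_diffs(a: bytes, b: bytes, limit: int = 1536) -> list:
    """Offsets within the first `limit` bytes (the 1.5 kB header) that differ."""
    return [i for i, (x, y) in enumerate(zip(a[:limit], b[:limit])) if x != y]


def resize_padding(img: bytes, target: int) -> bytes:
    """Grow or shrink the 0xFF run so the image is exactly `target` bytes long.
    Refuses rather than truncating the code region."""
    lay = layout(img)
    new_pad = target - lay.code_end - TRAILER_LEN
    if new_pad < 0:
        raise ValueError("target size would cut into the code region")
    return img[:lay.code_end] + b"\xff" * new_pad + lay.trailer


def compare(a: bytes, b: bytes) -> dict:
    la, lb = layout(a), layout(b)
    return {
        "header_diffs": len(header_diffs(a, b)),
        "code_lengths": (la.code_end, lb.code_end),
        "pad_lengths": (la.pad_len, lb.pad_len),
        "trailer_diffs": sum(x != y for x, y in zip(la.trailer, lb.trailer)),
    }


# Constructed sample images (stand-ins, not the real KR2 / MBR1000 firmware).
HEADER = bytes(range(256)) * 6          # 1536-byte shared header
_kr2_hdr = bytearray(HEADER)
for _off in (0x10, 0x20, 0x30):         # a few single-byte substitutions
    _kr2_hdr[_off] ^= 0x01
KR2 = bytes(_kr2_hdr) + b"\xaa" * 4000 + b"\xff" * 600 + b"\x12\x34\x56\x78"
MBR = HEADER + b"\x55" * 3000 + b"\xff" * 2600 + b"\x12\x34\x56\x79"

if __name__ == "__main__":
    print(compare(KR2, MBR))
    print(len(resize_padding(MBR, len(KR2))), "bytes after trimming padding")
```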

At this point, I believe that if I can change the MBR1000 firmware to
look like the KR2 firmware a little, I'll be able to trick my Kyocera
KR2 into upgrading from the MBR1000 firmware file.